---
sidebar_label: Duo
description: >-
  The '/identity/mfa/method/duo' endpoint focuses on managing Duo MFA behaviors in OpenBao.
---

## Configure Duo MFA method

This endpoint defines an MFA method of type Duo.

| Method | Path                           |
| :----- | :----------------------------- |
| `POST` | `/identity/mfa/method/duo/:method_id` |

### Parameters

- `method_id` `(string: "")` - Optional UUID to specify if updating an existing method.

- `method_name` `(string)` - The unique name identifier for this MFA method.

- `username_format` `(string)` - A template string for mapping Identity names to MFA methods. Values to substitute should be placed in `{{}}`. For example, `"{{identity.entity.name}}"`. If blank, the Entity's Name field is used as-is.

- `secret_key` `(string: <required>)` - Secret key for Duo.

- `integration_key` `(string: <required>)` - Integration key for Duo.

- `api_hostname` `(string: <required>)` - API hostname for Duo.

- `push_info` `(string)` - Push information for Duo.

- `use_passcode` `(bool: false)` - If true, the user is reminded to use the passcode upon MFA validation.

### Sample payload

```json
{
  "username_format": "{{identity.entity.aliases.auth_userpass_1793464a.name}}",
  "secret_key": "BIACEUEAXI20BNWTEYXT",
  "integration_key": "8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz",
  "api_hostname": "api-2b5c39f5.duosecurity.com",
  "method_name": "ns1_duo",
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/method/duo
```

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/method/duo/4194659f-139b-400b-b5dd-86bfb726759d
```

## Read Duo MFA method

This endpoint queries the MFA configuration of Duo type for a given method
ID.

| Method | Path                           |
| :----- | :----------------------------- |
| `GET`  | `/identity/mfa/method/duo/:id` |

### Parameters

- `id` `(string: <required>)` – UUID of the MFA method.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/method/duo/4194659f-139b-400b-b5dd-86bfb726759d
```

### Sample response

```json
{
  "data": {
    "api_hostname": "api-2b5c39f5.duosecurity.com",
    "id": "4194659f-139b-400b-b5dd-86bfb726759d",
    "integration_key": "BIACEUEAXI20BNWTEYXT",
    "pushinfo": "",
    "secret_key": "8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz",
    "type": "duo",
    "username_format": "{{identity.entity.aliases.auth_userpass_1793464a.name}}",
    "use_passcode": false
  }
}
```

## Delete Duo MFA method

This endpoint deletes a Duo MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).

| Method   | Path                           |
| :------- | :----------------------------- |
| `DELETE` | `/identity/mfa/method/duo/:id` |

### Parameters

- `id` `(string: <required>)` - UUID of the MFA method.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/method/duo/4194659f-139b-400b-b5dd-86bfb726759d
```

## List Duo MFA methods

This endpoint lists Duo MFA methods that are visible.

| Method | Path                       |
| :----- | :------------------------- |
| `LIST` | `/identity/mfa/method/duo` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/method/duo
```

### Sample response

```json
{
  "data": {
    "keys": [
      "4194659f-139b-400b-b5dd-86bfb726759d"
    ]
  }
}
```
